Facebook has disclosed that its engineers have exposed, and tackled, a grave data breach on September 25, last Tuesday, which affected roughly 50m account holders. Impacted users have been sent a notice and automatically logged out of their accounts, implying that they required to log back again to gain safe access.

Facebook shares, which were already downward roughly 1.5% before the declaration, extended losses after the disclosure and ended downward 2.6%. Nevertheless, the news might get worse for the social media titan as, under the newly-introduced General Data Protection Regulation, the EU might impose a penalty that would equate to 4% of Facebook’s yearly international income – a figure that would presently amount to roughly €1.63bn.

Chairman, Chief Executive Officer and Founder of Facebook Mark Zuckerberg said in a Facebook post the previous week: “On Tuesday, we learnt that an attacker abused a technical weakness to steal access tokens that would let them log into approximately 50 million people’s accounts on Facebook. We don’t yet know whether these accounts were abused but we are continuing to look into this and will inform when we know more.”

He went on to say: “I’m pleased we found this and fixed the weakness. But it certainly is a problem that this occurred in the first place. I think this underscores the attacks that our community and our facilities encounter.”

This is the latest in a particularly chaotic time for Facebook in relation to the safety of its users’ confidential information and data. Earlier this year the group had to cope with the Cambridge Analytica scandal when an external business was found to have shared private data obtained without the expressed approval of those it related to. This breach happened before the launch of GDPR.

Facebook has said that the hacker who performed this cyberattack disclosed three viruses that were added to the site’s “View As” feature in July 2017. “View as” lets users to view what their profile looks like to other Facebook users. Facebook said it tackled the virus on Thursday night and has informed the related law enforcement organizations including the FBI and the Irish Data Protection Commission in order to abide by General Data Protection Regulation (GDPR) requirements.

Thus far Facebook has been unable to find the cyber attackers or their location. Guy Rosen, Facebook’s Vice President of product, said on a call with journalists last Friday: “We haven’t seen that the access tokens were used to access personal messages or posts or post anything to the accounts. It is important to say: The attackers might use the account as if they are the account holder. Our inquiry is early and it’s difficult to decide precisely who was behind this. We might never know.”

After Facebook made the declaration Friday disclosing the data breach, Democratic Senator Mark Warner for Virginia – who is also the Vice Chairman of the Senate Intelligence Committee – called for a “complete investigation” into the hacking occurrence. He said: “Today’s exposure is a reminder regarding the risks posed when a small number of firms like Facebook or the credit bureau Equifax are able to gather so much private data about individual Americans without sufficient safety measures. This is another sobering indicator that Congress requires to step up and take action to safeguard the secrecy and safety of social media users.”